Epsilon helps mug you at home

It is one thing to be out on the street and randomly mugged, but quite another to have someone follow you home, trick you into letting them into your house, and then being robbed in your own living room.


Equally it is one thing to be phished frequently but quite another to be spearphished just as often.

We all know phishing is an email message sent by some miscreant that appears to be from an entity you recognize. The goal is to persuade you to reveal personal details such as an account login or your Social Security number. Spearphishing is much the same except the miscreant has some knowledge about you and your relationship with the entity the message claims to be from, which improves the chances you will believe the ploy.

While phishing is quite common -- the U.S. Computer Emergency Readiness Team (US-CERT) estimates that 53 per cent of all security incidents in 2010 involved phishing or spearphishing -- spearphishing is less so.

That was until now. In the near future you can expect spearphishing to become very commonplace thanks to a company you probably never heard of until this week: Epsilon, a division of another company most of you will know nothing about, Alliance Data.

According to Wikipedia, Epsilon provides "database marketing, direct mail, email marketing, Web development, loyalty programs, analytics, data services, and strategic consulting" for over 2,500 clients, including 1-800-Flowers, Best Buy, Capital One, Citi, JCrew, Target, TD Waterhouse, TiVo, Verizon, Victoria's Secret and Walgreens.

Until March 30 this year, Epsilon was highly respected in its industry with Ad Age ranking the company among the top marketing services firms and direct marketing agencies in 2006, 2007, 2008, 2009 and 2010.

That respect is now history because, as if to jump the gun on a particularly unfunny April Fool's Day joke, Epsilon suffered a data security breach of biblical proportions: More than 50 companies are now known to have had their customer email lists swiped by hackers and the final total of customer records involved will be in the upper tens of millions.

Epsilon's site somewhat explains the breach:

IRVING, TEXAS - April 1, 2011 - On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

The company noted that the "subset" was "approximately two per cent of total clients and are a subset of clients for which Epsilon provides email services."

It is hard to miss the irony of Epsilon's tag line: "Marketing as usual. Not a chance." Indeed.

What is interesting is watching the ripples since the announcement. Every day since the breach one or two new companies announce that their customers are exposed. So far it appears that all that was stolen were lists of customer names and email addresses, but losing that much data is extremely serious.

For some companies, there's a real risk that gullible staff will receive bogus emails that they will believe and act upon without much thought. For example, while not related to this Epsilon fiasco, consider how the publishing house Conde Nast was tricked into paying nearly $8 million to a scammer because of what was, in effect, a successful spearphishing attempt.

While the corporate impact could be significant, the biggest risk is to consumers. Once the relationship between a brand and a consumer is established, the consumer's guard is down, and even sophisticated Internet users can click on what seems to be a valid, safe link in a message from their bank or their favorite retailer and be exposed to malware or land on a bogus Web page that attempts to glean their personal details.

In short, this is a security problem on a scale that I think exceeds the Comodo hack I discussed last week because it is far more diffuse and far more pernicious. It also, potentially, has far greater total financial consequences.

So now we come to the big question: What can you do? In your organization, you need to circulate a memo, ideally from the CEO, warning users to be critical and discerning about messages they receive from any organization and how they should act on them. And when it comes to your family and friends, take the time to explain the issues simply and in detail.

You might point both groups to the Network World article "Five tips to avoid getting phished", but you'll probably have to explain the details as there's a lot to understand.

The bigger issue is what companies that use Internet email marketing are going to do. We, their customers, can no longer trust their messages, because the effort it takes to check that every link in every email really points where it claims to point is enormous.
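To make that effort concrete, here is an added example (not code from the column or from Epsilon or any of its clients) that mechanises the check a wary recipient would otherwise do by hand: given a message that claims to come from a brand, does every link in it actually lead to that brand? The sample message is constructed for the example, and the allow-list mapping a sender domain to the domains the brand legitimately uses is a hypothetical table you would have to maintain yourself.

```python
"""Flag suspicious links in an HTML e-mail that claims to come from a brand.

Added example, not from the original column. The sample message below is
constructed, and BRAND_DOMAINS is a hypothetical allow-list (assumption).
"""
from __future__ import annotations

import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allow-list: sender domain -> registrable domains the brand uses.
BRAND_DOMAINS = {
    "examplebank.com": {"examplebank.com", "examplebank-mail.com"},
}

# Constructed sample. The first link goes to a lookalike host, the third
# hides an IP address behind text that looks like the bank's own URL.
SAMPLE_EMAIL = """\
From: "ExampleBank Alerts" <alerts@examplebank.com>
To: customer@example.net
Subject: Action required: confirm your password reset
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Doe, we noticed a password reset on your ExampleBank account.</p>
<p>If this was not you, <a href="http://examplebank.com.account-verify.net/reset">
click here to cancel</a>.</p>
<p>Your statement is ready at <a href="https://examplebank.com/statements">
www.examplebank.com/statements</a>.</p>
<p>Sign in at <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a></p>
<p><a href="https://online.examplebank-mail.com/pref">Manage preferences</a></p>
</body></html>
"""

# A hostname (optionally with scheme) appearing in the visible link text.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/|$|\s)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "\nclick  here" becomes "click here".
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels ('a.b.examplebank.com' -> 'examplebank.com').
    Adequate for .com/.net; a production tool would use the Public Suffix
    List so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg) -> str:
    """Domain of the address in the From header (what the mail claims to be)."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()


def _host_in_text(text: str) -> Optional[str]:
    m = _HOST_RE.search(text)
    return m.group(1).lower() if m else None


def audit_links(raw_message: str) -> list[dict]:
    """Return one finding per link that does not match the claimed sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    brand = sender_domain(msg)
    allowed = BRAND_DOMAINS.get(brand, {brand})
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme not in ("http", "https") or not host:
            reasons.append("non-http or hostless link")
        elif host.replace(".", "").isdigit() or ":" in host:
            reasons.append("IP-literal host")
        elif registrable_domain(host) not in allowed:
            reasons.append(f"host {host} is outside the sender's domains")
        if parts.username is not None:
            # http://examplebank.com@evil.net/ puts the brand in the userinfo.
            reasons.append("credentials in URL userinfo")
        shown = _host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"visible text says {shown} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the constructed message, the two legitimate links pass and the lookalike and IP-literal links are flagged. The point of the exercise is how much a recipient has to know to do this safely: the brand's full set of sending and landing domains, the public-suffix rules, and the tricks that make a hostile URL read like a friendly one. That is exactly the knowledge a consumer reading a "password reset" notice from their bank does not have.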

Imagine a hacker with Citi's email database sending out, say, 1,000,000 messages that confirm a fake password reset or a fake financial transaction, and just 0.1 per cent of the recipients get "taken". That's 1,000 accounts that could be compromised.

Say half of those are successful for an average of $5,000 per account; that's $2.5 million! Do you think that's a worthwhile effort for a hacker who only has to send out a few emails? How about half of that? Or even a quarter? A thousand here, a thousand there and soon you're talking real money.

I have no idea what the answer to this enormous problem might be, but I know that it is a problem on a scale we've never seen before and, until it is solved, we're going to see the cost of fraud escalate dramatically. And who will wind up footing the bill? You guessed it: Consumers.

So until there's a viable, globally applicable, and effective solution, brace yourself because the SNAFU at Epsilon will be repeated over and over and it will be like being followed home and being robbed over and over again in your own living room.

Worse still, not only will you be robbed by the bad guys, you'll pay for it through increased bank fees. That will be like getting robbed twice.

Gibbs is hunkered down in Ventura, Calif. Outline your defenses to backspin@gibbs.com.
